SHA256: 605f3b5bab271ab2d956e1295ee22c899d58b2dd8812f1f7bdd9b718c55b9745
File name: crypted.120.exe_ewG
Detection ratio: 0 / 56
Analysis date: 2015-08-07 07:52:56 UTC ( 3 years, 3 months ago )
Antivirus Result Update
Ad-Aware 20150807
AegisLab 20150807
Yandex 20150806
AhnLab-V3 20150807
Alibaba 20150803
ALYac 20150807
Antiy-AVL 20150807
Arcabit 20150807
Avast 20150807
AVG 20150807
Avira (no cloud) 20150807
AVware 20150807
Baidu-International 20150806
BitDefender 20150807
Bkav 20150806
ByteHero 20150807
CAT-QuickHeal 20150807
ClamAV 20150806
Comodo 20150807
Cyren 20150807
DrWeb 20150807
Emsisoft 20150807
ESET-NOD32 20150807
F-Prot 20150807
F-Secure 20150807
Fortinet 20150807
GData 20150807
Ikarus 20150807
Jiangmin 20150806
K7AntiVirus 20150807
K7GW 20150807
Kaspersky 20150807
Kingsoft 20150809
Malwarebytes 20150807
McAfee 20150807
McAfee-GW-Edition 20150806
Microsoft 20150807
eScan 20150807
NANO-Antivirus 20150807
nProtect 20150806
Panda 20150806
Qihoo-360 20150807
Rising 20150731
Sophos AV 20150807
SUPERAntiSpyware 20150807
Symantec 20150807
Tencent 20150809
TheHacker 20150805
TotalDefense 20150807
TrendMicro 20150807
TrendMicro-HouseCall 20150807
VBA32 20150806
VIPRE 20150807
ViRobot 20150807
Zillya 20150806
Zoner 20150807
The file is a Portable Executable: a Win32 EXE for the Windows GUI subsystem, and a .NET assembly (its only listed import is _CorExeMain; see PE imports and the Mono/.Net magic below).
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer. (This is the text of the Windows CERT_E_REVOKED error, i.e. the verdict of a Windows chain-validation check. The revocation date itself is not shown, so whether the revocation pre-dates or post-dates the 8/7/2015 countersignature cannot be read off this page.)
Signing date 8:25 AM 8/7/2015
Signers
[+] AVTOZVIT Scientific Production Private Company
Status This certificate or one of the certificates in the certificate chain is not time valid; trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer COMODO RSA Code Signing CA
Valid from 1:00 AM 7/20/2015
Valid to 12:59 AM 7/20/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint FBEC5B6535B0CFCEB7E14F02CF2EF91FFFDE20A1
Serial number 00 86 F4 B4 B5 45 62 38 17 6D 8D DF 3A C6 6C 1F 7E
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 5/9/2013
Valid to 12:59 AM 5/9/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] COMODO SECURE™
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 1:00 AM 1/19/2010
Valid to 12:59 AM 1/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 1:00 AM 5/5/2015
Valid to 12:59 AM 1/1/2016
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint DF946A5E503015777FD22F46B5624ECD27BEE376
Serial number 00 9F EA C8 11 B0 F1 62 47 A5 FC 20 D8 05 23 AC E6
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 7:31 PM 7/9/1999
Valid to 7:40 PM 7/9/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
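The "not time valid" statuses above are evaluated against the clock at the time the report was viewed (late 2018, per the "3 years, 3 months ago" on the analysis date), not against the signing time: at 8:25 AM 8/7/2015 every certificate listed, including the COMODO Time Stamping Signer that expired on 1/1/2016, was inside its validity window, so the only finding that survives a timestamp-aware check is the revocation. The script below, an added example rather than VirusTotal or Microsoft code, models the Windows Authenticode rule that matters here: with a valid timestamp countersignature, validity periods are judged at the timestamped signing time, while a revocation still defeats the signature if its effective date is not later than that timestamp (CAs back-date revocations to cover earlier signatures). The validity windows are taken from the report as printed (no time zone is stated); the revocation date does not appear on the page, so it is an explicit, assumed parameter.

```python
"""How Authenticode trust depends on the timestamp countersignature.
Added example, not VirusTotal or Microsoft code: validity windows are the
ones printed in the report; revocation dates are assumed inputs."""
from datetime import datetime

# Validity windows exactly as printed in the report (no zone is stated).
SIGNER_CHAIN = {
    "AVTOZVIT Scientific Production Private Company":
        (datetime(2015, 7, 20, 1, 0), datetime(2016, 7, 20, 0, 59)),
    "COMODO RSA Code Signing CA":
        (datetime(2013, 5, 9, 1, 0), datetime(2028, 5, 9, 0, 59)),
}
TIMESTAMP_CHAIN = {
    "COMODO Time Stamping Signer":
        (datetime(2015, 5, 5, 1, 0), datetime(2016, 1, 1, 0, 59)),
    "USERTrust (Code Signing)":
        (datetime(1999, 7, 9, 19, 31), datetime(2019, 7, 9, 19, 40)),
}
SIGNING_TIME = datetime(2015, 8, 7, 8, 25)      # "Signing date 8:25 AM 8/7/2015"
REPORT_VIEW_TIME = datetime(2018, 11, 1)        # approximate: "3 years, 3 months ago"


def not_time_valid(chain, at):
    """Names of certificates in `chain` whose validity window excludes `at`."""
    return [name for name, (nb, na) in chain.items() if not nb <= at <= na]


def verify(now, timestamp=None, revocations=None):
    """Return (accepted, reasons).  `timestamp` is the countersignature time
    (None = no timestamp); `revocations` maps signer-chain certificate names
    to the revocation date the CA published (assumed; not on the page)."""
    reasons = []
    revocations = revocations or {}
    # 1. Which instant governs the signer chain's validity windows?  A usable
    #    timestamp pins it to the signing time; otherwise the verifier's clock.
    if timestamp is not None and not not_time_valid(TIMESTAMP_CHAIN, timestamp):
        check_at = timestamp
    else:
        check_at = now
    expired = not_time_valid(SIGNER_CHAIN, check_at)
    if expired:
        reasons.append(f"not time valid at {check_at:%Y-%m-%d}: {', '.join(expired)}")
    # 2. Revocation: effective on or before the governing instant fails the
    #    chain; a revocation dated after a timestamped signature does not.
    for name, rev_date in revocations.items():
        if name in SIGNER_CHAIN and rev_date <= check_at:
            reasons.append(f"revoked ({name}, effective {rev_date:%Y-%m-%d})")
    return (not reasons, reasons)


def demo():
    """Scenarios grounded in the report; the two revocation dates are assumed."""
    signer = "AVTOZVIT Scientific Production Private Company"
    return {
        # What the report shows: statuses computed at view time, no timestamp applied.
        "view_time_no_ts": verify(REPORT_VIEW_TIME),
        # Same clock, timestamp honoured: the chain was time-valid when signed.
        "view_time_with_ts": verify(REPORT_VIEW_TIME, timestamp=SIGNING_TIME),
        # Assumed: CA revoked the signer the day after signing.
        "revoked_after_ts": verify(REPORT_VIEW_TIME, SIGNING_TIME,
                                   {signer: datetime(2015, 8, 8)}),
        # Assumed: CA back-dated the revocation to the certificate's issue date.
        "revoked_before_ts": verify(REPORT_VIEW_TIME, SIGNING_TIME,
                                    {signer: datetime(2015, 7, 20)}),
    }


if __name__ == "__main__":
    for scenario, (accepted, reasons) in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'} {reasons}")
```

Because the revocation date is unknown, the page alone cannot say whether a timestamp-honouring verifier would accept this signature; the report's verdict says its check did not.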
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-10-16 08:02:36
Entry Point 0x0003581E
Number of sections 3
.NET details
Module Version ID 84e951ed-1e1f-4336-bd27-e5c8d795ff27
PE sections
Overlays
MD5 3be77daad862ef5eda6a4c0a584a630b
File type data
Offset 228864
Size 6808
Entropy 7.49
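The overlay begins at offset 228864 and runs 6808 bytes, which ends exactly at the 235672-byte file size listed under File identification. For a signed PE that is what the Authenticode certificate table looks like: the WIN_CERTIFICATE structure is appended after the last section and pointed to by the security data directory, and the 7.49 entropy is consistent with DER-encoded certificates. The report does not say this explicitly, so the script below, an added example and not VirusTotal code, checks it on a PE and also computes the authentihash listed under File identification: the hash Authenticode actually signs, which skips the CheckSum field, the security directory entry and the certificate table, so it stays the same when the image is re-signed and can be used to pivot to other copies of the same image under other certificates. The PE it runs on is constructed inline (synthetic), so the script works offline.

```python
"""Locate the Authenticode certificate table in a PE, confirm that it is the
overlay, and compute the authentihash (the image hash Authenticode signs:
everything except the CheckSum field, the security data-directory entry and
the certificate table).  Added example, not VirusTotal code; the PE it runs
on is built inline (synthetic) so the script works offline."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_layout(data):
    """Offsets needed for hashing: (checksum_off, secdir_off, size_of_headers,
    [(PointerToRawData, SizeOfRawData), ...], cert_off, cert_len)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: opt + 96, 0x20B: opt + 112}[magic]      # PE32 / PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    secdir_off = dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)  # file offset, not RVA
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_len


def authentihash(data, algo="sha256"):
    """Hash the PE the way Authenticode does (sections in file order, trailing
    non-certificate data included), so re-signing leaves the value unchanged."""
    checksum_off, secdir_off, hdr_size, sections, _, cert_len = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:hdr_size])
    hashed = hdr_size
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - cert_len        # overlay bytes that are not the signature
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def overlay_is_signature(data):
    """True when the security directory points exactly at the overlay, i.e. the
    bytes after the last section are the WIN_CERTIFICATE table and nothing else."""
    _, _, hdr_size, sections, cert_off, cert_len = pe_layout(data)
    overlay_off = max([hdr_size] + [p + s for p, s in sections])
    return cert_len > 0 and cert_off == overlay_off and cert_off + cert_len == len(data)


def build_minimal_pe(code, cert_blob=b"", checksum=0):
    """Synthetic PE32 with one .text section and, optionally, a WIN_CERTIFICATE
    appended as overlay.  Constructed test input, not the file from the report."""
    align = 0x200
    code = code.ljust(-(-len(code) // align) * align, b"\0")
    cert = b""
    if cert_blob:
        body = cert_blob.ljust((len(cert_blob) + 7) & ~7, b"\0")
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # rev 2.0, PKCS#7
    cert_off = align + len(code) if cert else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 8, 0, len(code), 0, 0, 0x1000, 0x1000, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, align, 4, 0, 0, 0, 4, 0,
                       0, 0x2000, align, checksum, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(cert))
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), align,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(align, b"\0") + code + cert


def demo():
    """Re-signing with a different certificate (and CheckSum) changes the file
    hash but not the authentihash; the signature lands exactly on the overlay."""
    code = b"\xCC" * 16                                    # constructed stand-in for .text
    unsigned = build_minimal_pe(code)
    signed = build_minimal_pe(code, cert_blob=b"A" * 20)
    resigned = build_minimal_pe(code, cert_blob=b"B" * 40, checksum=0x1234)
    return {
        "sha256_changes": hashlib.sha256(signed).digest() != hashlib.sha256(resigned).digest(),
        "authentihash_stable": authentihash(unsigned) == authentihash(signed) == authentihash(resigned),
        "overlay_is_signature": overlay_is_signature(signed) and not overlay_is_signature(unsigned),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

On a real sample, authentihash(open(path, "rb").read()) should reproduce the value under File identification, and overlay_is_signature() tells you whether the overlay VirusTotal reports is the signature block or something appended beyond it.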
PE imports
_CorExeMain
Number of PE resources by type
RT_ICON 9
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
TURKISH DEFAULT 1
XHOSA DEFAULT 1
NORWEGIAN BOKMAL 1
ARABIC KUWAIT 1
VIETNAMESE DEFAULT 1
ROMANIAN 1
ARABIC EGYPT 1
FRENCH 1
ENGLISH SPANISH HONDURAS 1
GUJARATI DEFAULT 1
SPANISH GUATEMALA 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 8.0
ImageVersion 0.0
FileVersionNumber 0.0.0.0
LanguageCode Neutral
FileFlagsMask 0x003f
ImageFileCharacteristics Executable, 32-bit
CharacterSet Unicode
InitializedDataSize 16896
EntryPoint 0x3581e
OriginalFileName PromotePertinenceModernism.exe
MIMEType application/octet-stream
FileVersion 5..5.43 (value as read from the version resource)
TimeStamp 2006:10:16 09:02:36+01:00
FileType Win32 EXE
PEType PE32
InternalName PromotePertinenceModernism.exe
ProductVersion 5..5.43
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 211456
FileSubtype 0
ProductVersionNumber 0.0.0.0
FileTypeExtension exe
ObjectFileType Executable application
AssemblyVersion 5..5.43
File identification
MD5 ac64211574eb18f40646bcd739fce6c6
SHA1 2566d31d197cb0a3a70341cc784a4d329ba953fe
SHA256 605f3b5bab271ab2d956e1295ee22c899d58b2dd8812f1f7bdd9b718c55b9745
ssdeep 6144:pBsfq+90PwMRR+yWmrpO0xyc6bWgI4if2J:/syucjzyc2dO2J
authentihash 09bf6ee83306ca6d37325e1f737b6e30191b8501a1380d7b2f03c9ba9c5621aa
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 230.1 KB ( 235672 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags
revoked-cert peexe assembly signed overlay

VirusTotal metadata
First submission 2015-08-07 07:52:56 UTC
Last submission 2015-08-12 12:17:40 UTC
File names crypted.120.exe_ewG
VirusShare_ac64211574eb18f40646bcd739fce6c6
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R047C0VHF15.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
HTTP requests
DNS requests
TCP connections